07-21-2020 02:40 PM - edited 07-22-2020 08:18 AM
Hi, I know by default higher security interfaces can access lower security interfaces but not the other way around, unless you use an ACL on the lower security interface to allow permission to the higher security interface/resource. However, let's say a remote VPN user gets assigned an IP from the VPN pool and those IPs are also part of the admins VLAN. Will that VPN user be treated like a host connected from inside that VLAN? So will the VPN user be able to access all hosts inside the admins VLAN, or because it's a VPN user will it be treated differently? Will I need ACLs to permit the remote VPN user to connect to services inside the admins VLAN, and if so, where do I specify the ACL: on the outside interface or under the tunnel group?
tia, Paul
07-21-2020 02:49 PM
Depends on your deployment.
In general, you need an ACL for the VPN user IP pool to access the internal LAN addresses.
Here is the document:
07-21-2020 07:23 PM
@balaji.bandi The local LAN in the document you linked refers to the client's local LAN - not the remote site LANs or subnets.
@paul amaral the following may be useful for you to understand:
Configure the sysopt connection permit-vpn command, which exempts traffic that matches the VPN connection from the access control policy. The default for this command is no sysopt connection permit-vpn, which means VPN traffic must also be allowed by the access control policy.
07-22-2020 04:44 AM
As @balaji.bandi has mentioned, this depends on your network setup. If you have no other security features in place to control access to your network devices and the VPN user receives an IP from within the Admin VLAN, those users will also be able to connect to your network devices accessible from the Admin VLAN (granted they would also need a user that has login rights to those network devices).
An option, in addition to what has already been mentioned, and which I believe is a better option, is to use the VPN filter feature. This will allow you to apply an access list specifically to the VPN connection in question. This is configured in the group policy that is assigned to the AnyConnect VPN Connection profile.
Ideally you would have the Admin subnet and user subnet separate.
07-22-2020 08:45 AM
Marius/Marvin
First, thanks for the response. I know about the VPN filter and I am not using it. I need the remote user to have full access into the admin VLAN 192.168.2.0/24. Currently the remote VPN user gets an IP from a pool. It gets an IP in the range of 192.168.2.90-99. I'm assuming that because that IP is part of the admin VLAN it gets full access and I don't need ACLs to allow the VPN user into the admin VLAN? This is what I'm trying to accomplish.
When testing, I log in remotely and I get assigned 192.168.2.92, and I can ping 192.168.2.131 and I can also query that DNS server. So am I right to assume that the remote VPN user is seen as part of that VLAN? The weird thing is, if I use packet tracer to test ICMP/DNS from 192.168.2.92 to 192.168.2.131 it fails, but it works once I'm connected via the VPN. I ask this because the remote user supposedly is not connecting to a Windows AD server on the admin/192.168.2.0 network and I'm wondering if I have missing permissions. I guess I can use the sysopt connection permit-vpn option to temporarily test things. Also, if there is no VPN filter, does that mean it's allowing everything?
vlan 102
nameif ADMIN
security-level 50
ip address 192.168.2.1 255.255.255.0
!
object network remote_vpn
range 192.168.2.90 192.168.2.99
nat (WAN,ADMIN) source static remote_vpn remote_vpn destination static ADMINSTAFF_net ADMINSTAFF_net no-proxy-arp
! I think I should probably have ADMIN,WAN static so it's not translated back to the WAN IP when responding
tunnel-group xx type remote-access
tunnel-group xx general-attributes
address-pool xx
default-group-policy xx
ip local pool xx 192.168.2.90-192.168.2.99 mask 255.255.255.0
Paul
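As an added example (not from any post in this thread), this is what the vpn-filter Marius suggested could look like for Paul's pool object and the 192.168.2.131 DNS server, limiting the pool to the specific admin-VLAN services needed instead of relying on interface ACLs. The group-policy and tunnel-group names (ADMIN_VPN_GP, ADMIN_VPN_TG), the ACL name, and the AD server address 192.168.2.200 are assumed placeholders.

```cisco
! vpn-filter ACLs are written from the VPN client's point of view:
! source = address assigned from the pool, destination = internal host.
! The filter is applied to both directions of the tunnel, so return
! traffic needs no separate entry. Object remote_vpn is the pool range
! already defined in the thread (192.168.2.90-192.168.2.99).
access-list VPN_ADMIN_FILTER remark DNS to 192.168.2.131
access-list VPN_ADMIN_FILTER extended permit udp object remote_vpn host 192.168.2.131 eq domain
access-list VPN_ADMIN_FILTER extended permit tcp object remote_vpn host 192.168.2.131 eq domain
access-list VPN_ADMIN_FILTER remark Domain logon / LDAP / SMB to the AD server (assumed address)
access-list VPN_ADMIN_FILTER extended permit tcp object remote_vpn host 192.168.2.200 eq 88
access-list VPN_ADMIN_FILTER extended permit udp object remote_vpn host 192.168.2.200 eq 88
access-list VPN_ADMIN_FILTER extended permit tcp object remote_vpn host 192.168.2.200 eq ldap
access-list VPN_ADMIN_FILTER extended permit tcp object remote_vpn host 192.168.2.200 eq 445
access-list VPN_ADMIN_FILTER remark Anything else from the pool is dropped by the implicit deny
!
! Attach the filter through the group policy that the tunnel group hands out.
group-policy ADMIN_VPN_GP internal
group-policy ADMIN_VPN_GP attributes
 vpn-filter value VPN_ADMIN_FILTER
!
tunnel-group ADMIN_VPN_TG general-attributes
 address-pool xx
 default-group-policy ADMIN_VPN_GP
!
! After a client connects, confirm the session actually received the filter:
! show vpn-sessiondb detail anyconnect filter name <username>
! (the "Filter Name" field should read VPN_ADMIN_FILTER)
```

With no vpn-filter in the group policy, the tunnel carries whatever the interface ACLs (or sysopt connection permit-vpn) allow, so an explicit filter is the place to express least privilege for the pool even when its addresses sit inside the admin VLAN.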